Penetration Testing mailing list archives

Re: IPS Testing


From: Daniel Clemens <daniel.clemens () packetninjas net>
Date: Mon, 14 Jan 2008 16:23:30 -0600

On Thu, 2008-01-03 at 14:26 +0530, pentestr wrote:

> Hi,
>
> I am doing a PT for a customer and found that after running Nessus against the target our IP is getting blocked permanently. I want to show this issue to the customer.
>
> 1. Is there any specific tool that can generate Nessus traffic by spoofing IPs?
> 2. Is there any tool that can change IP on the fly? While running Nessus that should change source IP?

You can spoof your IP with Nmap, or even unicornscan.
The problem is you will basically be spoofing the initial SYN request, assuming your upstream provider doesn't do ingress/egress filtering.


> I want to confirm this issue of the IPS. If the IPS is blocking traffic, then by spoofing other IPs I can block service to them and it will become a CRITICAL issue because an attacker can spoof IP ranges and it could lead to DoS.


If you're trying to prove this point you may want to spoof traffic coming from all the DNS root servers or traffic coming from 127.0.0.1 and the upstream routers of your client's subnet.

-Daniel Clemens
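
An added example, not part of the original post and not any IPS product's code: a sketch of the auto-block decision an IPS needs so that the forged sources discussed in this thread cannot be turned into blocks on legitimate hosts. The addresses (documentation ranges), the 900-second TTL and the `Alert` and `decide` names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (documentation ranges), not taken from the thread.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "192.0.2.1/32",      # hypothetical upstream router of the protected subnet
    "198.51.100.53/32",  # hypothetical DNS infrastructure the site depends on
)]
BLOCK_TTL_SECONDS = 900  # assumption: temporary block instead of a permanent one


@dataclass
class Alert:
    src: str                   # source address as seen on the wire
    handshake_completed: bool  # True only if the TCP three-way handshake finished


def decide(alert: Alert) -> tuple[str, int]:
    """Return (action, ttl_seconds) for an alert raised by the sensor."""
    ip = ipaddress.ip_address(alert.src)
    # Loopback, unspecified, multicast and reserved sources cannot legitimately
    # arrive from outside: drop the packet, but never create a block entry.
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast or ip.is_reserved:
        return ("drop_packet", 0)
    # Infrastructure the site depends on is alerted on, never auto-blocked.
    if any(ip in net for net in NEVER_BLOCK):
        return ("alert_only", 0)
    # A lone SYN proves nothing about who sent it; the source may be forged.
    if not alert.handshake_completed:
        return ("alert_only", 0)
    # Validated source: block, but with an expiry so a mistake heals itself.
    return ("block", BLOCK_TTL_SECONDS)


if __name__ == "__main__":
    # Constructed alerts covering each branch of the decision.
    for a in (Alert("127.0.0.1", False), Alert("192.0.2.1", True),
              Alert("203.0.113.7", False), Alert("203.0.113.7", True)):
        print(a.src, a.handshake_completed, decide(a))
```
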
